Abstract

In this paper, we study the discrete logarithm problem in the finite fields $F_{q^n}$ where $n \mid q-1$. The field is called a Kummer field or a Kummer extension of $F_q$. It plays an important role in improving the AKS primality proving algorithm. It is known that we can efficiently construct an element $g$ with order greater than $2^n$ in these fields. Let $S_q(e)$ be the function from integers to the sum of digits in their $q$-ary expansions. We present an algorithm that, given $g^e$ ($0 \le e < q^n$), finds $e$ in random polynomial time, provided that $S_q(e) < n$. We then show that the problem is solvable in random polynomial time for most of the exponents $e$ with $S_q(e) \le 1.32n$. The main tool for the latter result is the Guruswami-Sudan list decoding algorithm. Built on these results, we prove that in the field $F_{q^{q-1}}$, the bounded sum-of-digits discrete logarithm with respect to $g$ can be computed in random time $O(f(w)\log^4(q^{q-1}))$, where $f$ is a subexponential function and $w$ is the bound on the $q$-ary sum-of-digits of the exponent. Hence the problem is fixed parameter tractable. These results are shown to be extendible to the Artin-Schreier extensions $F_{p^p}$ where $p$ is a prime. Since every finite field has an extension of reasonable degree which is a Kummer field, our result reveals an unexpected property of the discrete logarithm problem, namely, the bounded sum-of-digits discrete logarithm problem in any given finite field becomes polynomial time solvable in certain low degree extensions.

1 Introduction and Motivations 

Most practical public key cryptosystems base their security on the hardness of solving the integer factorization problem or the discrete logarithm problem in finite fields. Both problems admit subexponential algorithms, thus we have to use long parameters, which make the encryption/decryption costly if the parameters are randomly chosen. Parameters of low Hamming weight, or more generally, of small sum-of-digits, offer some remedy. Using them speeds up the system while seeming to keep the security intact. In particular, in the cryptosystems based on the discrete logarithm problem in finite fields of small characteristic, using small sum-of-digits exponents is very attractive, due to the existence of normal bases [ref]. It has been proposed and implemented for smart cards and mobile devices, where the computing power is severely limited. Although attacks exploiting this special structure were proposed [2], none of them have polynomial time complexity.
Let $F_{q^n}$ be a finite field. For $\beta \in F_{q^n}$, if $\beta, \beta^q, \beta^{q^2}, \ldots, \beta^{q^{n-1}}$ form a linear basis of $F_{q^n}$ over $F_q$, we call them a normal basis. It is known that a normal basis exists for every pair of a prime power $q$ and a positive integer $n$ [ref, Page 29]. Every element $a$ in $F_{q^n}$ can be represented as

$$a = a_0\beta + a_1\beta^q + \cdots + a_{n-1}\beta^{q^{n-1}}$$

where $a_i \in F_q$ for $0 \le i \le n-1$. Raising to the $q$-th power is a linear operation,

$$a^q = a_0\beta^q + \cdots + a_{n-2}\beta^{q^{n-1}} + a_{n-1}\beta.$$

Hence to compute the $q$-th power, we only need to shift the digits, which can be done very fast, possibly on the hardware level. Now suppose we want to compute $a^e$ where the $q$-ary expansion of $e$ is

$$e = e_0 + e_1 q + e_2 q^2 + \cdots + e_{n-1}q^{n-1} \quad (0 \le e_i < q \text{ for } 0 \le i \le n-1). \qquad (1)$$

The sum-of-digits of $e$ in the $q$-ary expansion is defined as $S_q(e) = \sum_{i=0}^{n-1} e_i$. When $q = 2$, the sum-of-digits becomes the famous Hamming weight. To compute $a^e$, we only need to do shiftings and at most $S_q(e)$ multiplications. Furthermore, the exponentiation algorithm can be parallelized, which is a property not enjoyed by the large characteristic fields. For details, see [ref].

1.1 Related work 

The discrete logarithm problem in a finite field $F_{q^n}$ is to compute an integer $e$ such that $g' = g^e$, given a generator $g$ of a subgroup of $F^*_{q^n}$ and $g'$ in the subgroup. The general purpose algorithms to solve the discrete logarithm problem are the number field sieve and the function field sieve (for a survey see [ref]). They have time complexity

$$\exp\left(c(\log q^n)^{1/3}(\log\log q^n)^{2/3}\right)$$

for some constant $c$, when $q$ is small, or $n$ is small.

Suppose we want to compute the discrete logarithm of $g^e$ with respect to base $g$ in the finite field $F_{q^n}$. If we know that the Hamming weight of $e$ is equal to $w$, there is an algorithm proposed by Coppersmith, which works well if $w$ is very small. It is a clever adaption of the baby-step giant-step idea, and runs in random time $O(\sqrt{w}\binom{n/2}{w/2})$. It is proved in [ref] that the average-case complexity achieves only a constant factor speed-up over the worst case. It is not clear how his idea can be generalized when the exponent has small sum-of-digits in the base $q > 2$. However, we can consider the very special case where $e_i \in \{0, 1\}$ for $0 \le i \le n-1$ and $\sum_{0 \le i \le n-1} e_i = \lfloor n/2 \rfloor$; recall that the $e_i$'s are the digits of $e$ in the $q$-ary expansion. It can be verified that the Coppersmith algorithm can be applied in this case. The time complexity becomes $O(\sqrt{n/2}\binom{n/2}{n/4})$. If $q$ is small relative to $n$, it is much worse than the time complexity of the function field sieve on a general exponent.

If the $q$-ary sum-of-digits of the exponent is bounded by $w$, is there an algorithm which runs in time $f(w)\log^c(q^n)$ and solves the discrete logarithm problem in $F_{q^n}$, for an arbitrary function $f$ and a constant $c$? A similar problem has been raised from the parametric point of view by Fellows and Koblitz [ref], where they consider the prime finite fields and the bounded Hamming weight exponents. Their problem is listed among the most important open problems in the theory of parameterized complexity [7]. From the above discussion, it is certainly more relevant to cryptography to treat the finite fields with small characteristic and exponents with bounded sum-of-digits.

Unlike the case of integer factorization, where a lot of special purpose algorithms exist, the discrete logarithm problem is considered more intractable in general. As an example, one should not use an RSA modulus of about 1000 bits with one prime factor of 160 bits; it would be vulnerable to the elliptic curve factorization algorithm. However, in the Digital Signature Standard, adopted by the U.S. government, the finite field has cardinality about $2^{1024}$ or larger, while the encryption/decryption is done in a subgroup of cardinality about $2^{160}$. As another example, one should search for a secret prime as random as possible in RSA, while in the case of the discrete logarithm problem, one may use a finite field of small characteristic, hence a group of very special order. It is believed that no trapdoor can be placed in the group order, as long as it has a large prime factor (see the panel report on this issue in the Proceedings of Eurocrypt 1992). In order to have an efficient algorithm to solve the discrete logarithm, we need that every prime factor of the group order is bounded by a polynomial function of the cardinality of the field. Given the current state of analytic number theory, it is very hard, if not impossible, to prove that there exist infinitely many finite fields of even (or constant) characteristic where the discrete logarithm can be solved in polynomial time.

In summary, there are several common perceptions about the discrete logarithm problem in 
finite fields: 

1. As long as the group order has a big prime factor, the discrete logarithm problem is hard. 
We may use exponents with small sum-of-digits, since the discrete logarithm problem in 
that case seems to be fixed parameter intractable. We gain advantage in speed by using 
bounded sum-of-digits exponents, and at the same time keep the problem as infeasible as 
using the general exponents. 

2. If computing discrete logarithms is difficult, it should be difficult for any generator of the group. The discrete logarithm problem with respect to one generator can be reduced to the discrete logarithm problem with respect to any generator. Even though in the small sum-of-digits case a reduction is not available, it is not known that changing the generator of the group affects the hardness of the discrete logarithm problem.

1.2 Our results 

In this paper, we show that those perceptions are problematic, by studying the discrete logarithm problem in large multiplicative subgroups of the Kummer and Artin-Schreier extensions with a prescribed generator. We prove that the bounded sum-of-digits discrete logarithm is easy in those groups. More precisely we prove constructively:

Theorem 1 (Main) There exists a random algorithm to find the integer $e$ given $g$ and $g^e$ in $F_{q^n}$ in time polynomial in $\log(q^n)$ under the conditions:

1. $n \mid q - 1$;

2. $0 \le e < q^n$, and $S_q(e) < n$;

3. $g = \alpha + b$ where $F_q(\alpha) = F_{q^n}$, $b \in F_q^*$ and $\alpha^n \in F_q$.

Moreover, there does not exist an integer $e' \ne e$ satisfying that $0 \le e' < q^n$, $S_q(e') < n$ and $g^{e'} = g^e$.

A few comments are in order:

• For a finite field $F_{q^n}$, if $n \mid q-1$, then there exists $g \in F_{q^n}$ satisfying the condition in the theorem; if there exists $\alpha$ such that $F_q(\alpha) = F_{q^n}$ and $\alpha^n \in F_q$, then $n \mid q-1$.

• As a comparison, Coppersmith's algorithm runs in exponential time in the case where $e_i \in \{0, 1\}$ for $0 \le i \le n-1$, $S_q(e) = \lfloor n/2 \rfloor$ and $q$ is small relative to $n$, while our algorithm runs in polynomial time in that case. On the other hand, Coppersmith's algorithm works for every finite field, while our algorithm works in Kummer fields. Our result has an indirect effect on an arbitrary finite field though, since every finite field has extensions of degree close to a given number which are Kummer fields. As an example, suppose we want to find an extension of $F_q$ with degree about $\log^2 q$. We first pick a random $n$ close to $\log q$ such that $(n, q) = 1$. Let $l$ be the order of $q$ in $\mathbb{Z}/n\mathbb{Z}$. The field $F_{(q^l)^n}$ is a Kummer extension of $F_{q^l}$, and an extension of $F_q$. According to Theorem 1 there is a polynomial time algorithm which computes the discrete logarithm to some element $g$ in $F_{q^{ln}}$ provided that the sum-of-digits of the exponent in the $q^l$-ary expansion is less than $n$. Hence our result reveals an unexpected property of the discrete logarithm problem in finite fields: the difficulty of the bounded sum-of-digits discrete logarithm problem drops dramatically if we move up to extensions.

• Numerical evidence suggests that the order of $g$ is close to the group order $q^n - 1$, if it does not equal $q^n - 1$. However, it seems hard to prove it. In fact, this is one of the main obstacles in improving the efficiency of AKS-style primality testing algorithms [ref]. We make the following conjecture.

Conjecture 1 Suppose that a finite field $F_{q^n}$ and an element $g$ in the field satisfy the conditions in Theorem 1. In addition, $n > \log q$. The order of $g$ is greater than $q^{n-c}$ for an absolute constant $c$.

• Even though we cannot prove that the largest prime factor of the order of $g$ is very big, it seems, as supported by numerical evidence, that the order of $g$, which is a factor of $q^n - 1$ bigger than $2^n$, is rarely smooth. For instance, in $F_{2^{889}} = F_{128^{127}}$, any such $g$ generates the whole group $F^*_{2^{889}}$. The order $2^{889} - 1$ contains a prime factor of 749 bits. One should not attempt to apply the Silver-Pohlig-Hellman algorithm here.

A natural question arises: can the restriction on the sum-of-digits in Theorem 1 be relaxed? Clearly if we can solve the problem under the condition $S_q(e) \le (q-1)n$ in polynomial time, then the discrete logarithm problem in the subgroup generated by $g$ is broken. If $g$ is a generator of $F^*_{q^n}$, then the discrete logarithm problem in $F_{q^n}$ and any of its subfields to any base is broken. We find a surprising relationship between the relaxed problem and the list decoding problem. We are able to prove:
Theorem 2 Suppose $e$ is chosen at random from the set

$$\{0 \le e < q^n - 1 \mid S_q(e) \le 1.32n\}.$$

There exists an algorithm that, given $g$ and $g^e$ in $F_{q^n}$, finds $e$ in time polynomial in $\log(q^n)$, with probability greater than $1 - c^{-n}$ for some constant $c$ greater than $1$, under the conditions:

1. $n \mid q - 1$;

2. $g = \alpha + b$ where $F_q(\alpha) = F_{q^n}$, $b \in F_q^*$ and $\alpha^n \in F_q$.

We also prove a parameterized complexity result concerning the bounded sum-of-digits discrete logarithm.

Theorem 3 There exists an element $g$ of order greater than $2^{q-1}$ in $F^*_{q^{q-1}}$, such that the discrete logarithm problem with respect to the generator $g$ can be solved in time $f(w)\log^4(q^{q-1})$, where $f$ is a subexponential function and $w$ is the bound of the sum-of-digits of the exponent in the $q$-ary expansion.

This answers an important open question in parameterized complexity for special, yet non-negligibly many, cases.

1.3 Organization of the paper 

The paper is organized as follows. In Section 2 we list some results on counting numbers with small sum-of-digits. In Section 3 we present the basic idea and the algorithm, and prove Theorem 1. In Section 4 we prove Theorem 2 and Theorem 3. In Section 5 we extend the results to Artin-Schreier extensions. We conclude our paper with discussions of open problems.

2 Numbers with Small Sum-of-digits 

Suppose that the $q$-ary expansion of a positive integer $e$ is

$$e = e_0 + e_1 q + e_2 q^2 + \cdots + e_{n-1}q^{n-1},$$

where $0 \le e_i \le q-1$ for all $0 \le i \le n-1$. How many nonnegative integers $e$ less than $q^n$ satisfy $S_q(e) = w$? The number equals the number of nonnegative integral solutions of

$$\sum_{i=0}^{n-1} e_i = w$$

under the conditions that $0 \le e_i \le q-1$ for all $0 \le i \le n-1$. Denote the number by $N(w, n, q)$. The generating function for $N(w, n, q)$ is

$$(1 + x + \cdots + x^{q-1})^n = \sum_i N(i, n, q)\, x^i.$$

If $w \le q-1$, then the conditions $e_i \le q-1$ can be removed, and we have that $N(w, n, q) = \binom{w+n-1}{n-1}$. It is easy to see that if $q = 2$, we have that $N(w, n, 2) = \binom{n}{w}$. In a later section, we will need to estimate $N(w, n, q)$, where $w$ is $n$ times a small constant less than $2$. Since

$$(1 + x + \cdots + x^{q-1})^n = \left(\frac{1 - x^q}{1 - x}\right)^n = (1 - x^q)^n \sum_{i=0}^{\infty} \binom{n+i-1}{n-1} x^i \equiv (1 - n x^q) \sum_{i=0}^{\infty} \binom{n+i-1}{n-1} x^i \pmod{x^{2q}},$$

reading off the coefficient of $x^w$ gives $N(w, n, q) = \binom{n+w-1}{n-1} - n\binom{n+w-q-1}{n-1}$ if $q \le w < 2q$.
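As an added example (not part of the paper), the following Python computes $N(w, n, q)$ three ways: by brute force over all $e < q^n$, from the generating function $(1 + x + \cdots + x^{q-1})^n$, and from the closed form just derived for $q \le w < 2q$; the parameter values are constructed for illustration.

```python
# Added example (not the paper's code): three ways to count exponents e < q^n
# whose q-ary sum-of-digits S_q(e) equals w, i.e. N(w, n, q).
from math import comb

def N_bruteforce(w, n, q):
    """Count 0 <= e < q^n whose base-q digits sum to w (only for tiny q^n)."""
    count = 0
    for e in range(q ** n):
        s, t = 0, e
        while t:
            s, t = s + t % q, t // q      # accumulate the q-ary digits of e
        count += (s == w)
    return count

def digit_sum_counts(n, q):
    """Coefficient list of (1 + x + ... + x^{q-1})^n; index w holds N(w, n, q)."""
    poly = [1]
    for _ in range(n):
        nxt = [0] * (len(poly) + q - 1)
        for i, c in enumerate(poly):
            for j in range(q):            # multiply by 1 + x + ... + x^{q-1}
                nxt[i + j] += c
        poly = nxt
    return poly

def N_closed_form(w, n, q):
    """N(w, n, q) for q <= w < 2q: the coefficient of x^w in
    (1 - n x^q) * sum_i C(n+i-1, n-1) x^i, the expansion truncated mod x^{2q}."""
    if not q <= w < 2 * q:
        raise ValueError("closed form is only valid for q <= w < 2q")
    return comb(n + w - 1, n - 1) - n * comb(n + w - q - 1, n - 1)

# Constructed check: n = 4 digits in base q = 5 summing to w = 6.
assert N_bruteforce(6, 4, 5) == digit_sum_counts(4, 5)[6] == N_closed_form(6, 4, 5)
```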



3 The Basic Ideas and the Algorithm 

Our basic idea is adopted from the index calculus algorithm. Let $F_{q^n}$ be a Kummer extension of $F_q$, namely, $n \mid q-1$. Assume that $q = p^d$ where $p$ is the characteristic. The field $F_{q^n}$ is usually given as $F_p[x]/(u(x))$ where $u(x)$ is an irreducible polynomial of degree $dn$ over $F_p$. If $g$ satisfies the condition in Theorem 1, then $x^n - \alpha^n$ must be an irreducible polynomial over $F_q$. Denote $\alpha^n$ by $a$. To implement our algorithm, it is necessary that we work in another model of $F_{q^n}$, namely, $F_q[x]/(x^n - a)$. Fortunately the isomorphism

$$\psi : F_p[y]/(u(y)) \to F_{q^n} = F_q[x]/(x^n - a)$$

can be efficiently computed. To compute $\psi(v(y))$, where $v(y)$ is a polynomial of degree at most $dn - 1$ over $F_p$, all we have to do is to factor $u(y)$ over $F_q[x]/(x^n - a)$, and to evaluate $v(y)$ at one of the roots. The random algorithm runs in expected time $O(dn(dn + \log q^n)(dn\log q^n)^2)$, and the deterministic algorithm runs in time $O(dn(dn + q)(dn\log q^n)^2)$. From now on we assume the model $F_q[x]/(x^n - a)$.

Consider the subgroup generated by $g = \alpha + b$ in $(F_q[x]/(x^n - a))^*$; recall that $b \in F_q^*$ and $\alpha = x \pmod{x^n - a}$. The generator $g$ has order greater than $2^n$ [ref], and has a very nice property as follows. Denote $a^{\frac{q-1}{n}}$ by $h$; we have

$$g^q = (\alpha + b)^q = \alpha^q + b = a^{\frac{q-1}{n}}\alpha + b = h\alpha + b,$$

and more generally

$$(\alpha + b)^{q^i} = \alpha^{q^i} + b = h^i\alpha + b.$$

In other words, we obtain a set of relations: $\log_{\alpha+b}(h^i\alpha + b) = q^i$ for $0 \le i \le n-1$. This corresponds to the precomputation stage of the index calculus. The difference is that, in our
corresponds to the precomputation stage of the index calculus. The difference is that, in our 
case, the stage finishes in polynomial time, while generally it requires subexponential time. For a general exponent $e$,

$$(\alpha + b)^e = (\alpha + b)^{e_0 + e_1 q + \cdots + e_{n-1}q^{n-1}} = (\alpha + b)^{e_0}(h\alpha + b)^{e_1} \cdots (h^i\alpha + b)^{e_i} \cdots (h^{n-1}\alpha + b)^{e_{n-1}}.$$

If $f(\alpha)$ is an element in $F_{q^n}$, where $f \in F_q[x]$ is a polynomial of degree less than $n$, and $f(\alpha) = (\alpha + b)^e$ and $S_q(e) < n$, then the product on the right has degree $S_q(e) < n$, and since an element has a unique representation by a polynomial of degree less than $n$, $f(x)$ equals that product; hence, by unique factorization in $F_q[x]$, $f(x)$ can be completely split into a product of linear factors over $F_q$. We can read the discrete logarithm from the factorization, after the coefficients are normalized. The algorithm is described as follows.

Algorithm 1 Input: $g$, $g^e$ in $F_{q^n} = F_q[x]/(x^n - a)$ satisfying the conditions in Theorem 1.
Output: $e$.

1. Define an order in $F_q$ (for example, use the alphabetic order). Compute and sort the list $(1, h, h^2, h^3, \ldots, h^{n-1})$.

2. Suppose that $g^e$ is represented by $f(\alpha)$, where $f \in F_q[x]$ has degree less than $n$. Factoring $f(x)$ over $F_q$, let $f(x) = c(x + d_1)^{l_1} \cdots (x + d_k)^{l_k}$ where $c, d_1, \ldots, d_k$ are in $F_q$.

3. (Normalization) Normalize the coefficients and reorder the factors of $f(x)$ such that their constant coefficients are $b$ and $f(x) = (x + b)^{e_0} \cdots (h_{n-1}x + b)^{e_{n-1}}$, where $h_i = h^i$;

4. Output $e_0 + e_1 q + \cdots + e_{n-1}q^{n-1}$.

Step 1 takes time $O(n\log^2 q\log n + n\log n\log q) = O(n\log n\log^2 q)$. The most time-consuming part is to factor a polynomial over $F_q$ with degree at most $n$. The random algorithm runs in expected time $O(n(n + \log q)(n\log q)^2)$ and the deterministic algorithm runs in time $O(n(n + q)(n\log q)^2) = O(n^3 q\log^2 q)$. Normalization and reordering can be done in time $O(n\log n\log q)$, since we have a sorted list of $(1, h, h^2, h^3, \ldots, h^{n-1})$. The total time complexity is thus in random time $O(n(n + \log q)(n\log q)^2)$ and in deterministic time $O(n^3 q\log^2 q)$. This concludes the proof of the main theorem.
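The following Python is an added example, not code from the paper: it runs Algorithm 1 on a constructed toy instance ($q = 7$, $n = 3$, $a = 2$, $b = 1$), assuming $q$ prime and $x^n - a$ irreducible over $F_q$, and rejects an input whose exponent has $S_q(e) \ge n$ instead of silently returning a wrong $e$ (the root-finding by trial is only adequate for a toy $q$; the paper uses Cantor-Zassenhaus).

```python
# Added example, not the paper's code: Algorithm 1 over a toy Kummer field.
# Assumptions: q prime, n | q-1, and x^n - a irreducible over F_q, so that
# F_{q^n} = F_q[x]/(x^n - a) with alpha = x.  Field elements are coefficient
# lists [c_0, ..., c_{n-1}] (lowest degree first) over F_q.

def mulmod(u, v, q, n, a):
    """Multiply two field elements; x^n is replaced by a during reduction."""
    res = [0] * (2 * n - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            res[i + j] = (res[i + j] + ui * vj) % q
    for k in range(2 * n - 2, n - 1, -1):
        res[k - n] = (res[k - n] + a * res[k]) % q
    return res[:n]

def powmod(base, e, q, n, a):
    """Square-and-multiply exponentiation in F_q[x]/(x^n - a)."""
    result = [1] + [0] * (n - 1)
    while e:
        if e & 1:
            result = mulmod(result, base, q, n, a)
        base = mulmod(base, base, q, n, a)
        e >>= 1
    return result

def divide_by_root(f, r, q):
    """Synthetic division of f (lowest degree first) by x - r."""
    d = len(f) - 1
    quot, carry = [0] * d, 0
    for k in range(d, 0, -1):
        carry = (f[k] + r * carry) % q
        quot[k - 1] = carry
    return quot, (f[0] + r * carry) % q

def split_into_roots(f, q):
    """Step 2: factor f over F_q by trying every root (fine for a toy q).
    Returns ({root: multiplicity}, leading coefficient)."""
    f = f[:]
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    roots = {}
    while len(f) > 1:
        for r in range(q):
            quot, rem = divide_by_root(f, r, q)
            if rem == 0:
                roots[r] = roots.get(r, 0) + 1
                f = quot
                break
        else:
            raise ValueError("f has an irreducible factor of degree > 1")
    return roots, f[0]

def kummer_dlog(ge, q, n, a, b):
    """Recover e from g^e, g = alpha + b; correct whenever S_q(e) < n."""
    h = pow(a, (q - 1) // n, q)                  # alpha^q = h * alpha
    index = {pow(h, i, q): i for i in range(n)}  # step 1: table of h^i
    assert len(index) == n, "h^0 .. h^{n-1} must be distinct"
    roots, _ = split_into_roots(ge, q)
    digits = [0] * n
    for r, mult in roots.items():                # step 3: (x - r) ~ (h^i x + b), so h^i = -b/r
        i = index.get((-b) * pow(r, q - 2, q) % q)
        if i is None:
            raise ValueError("a root is not of the form -b/h^i: S_q(e) >= n")
        digits[i] = mult                         # e_i is the multiplicity of that factor
    return sum(d * q ** i for i, d in enumerate(digits))   # step 4

# Constructed instance: q = 7, n = 3 (3 | 6), a = 2 (not a cube mod 7), b = 1.
E = 1 + 0 * 7 + 1 * 49                           # digits (1, 0, 1), S_7(E) = 2 < n = 3
assert kummer_dlog(powmod([1, 1, 0], E, 7, 3, 2), 7, 3, 2, 1) == E
```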

4 The Parameterized Complexity and the Application of List Decoding

A natural question arises: can we relax the bound on the sum-of-digits and still get a polynomial time algorithm? Solving the problem under the condition $S_q(e) \le (q-1)n$ basically renders the discrete logarithm problems in $F_{q^n}$ and any of its subfields easy. In this section, we consider the case when $S_q(e) \le 1.32n$. Suppose that $g^e = f(\alpha)$ where $f(x) \in F_q[x]$ has degree less than $n$. Using the same notation as in the previous section, we have

$$f(\alpha) = (\alpha + b)^{e_0}(h\alpha + b)^{e_1} \cdots (h^{n-1}\alpha + b)^{e_{n-1}}.$$

Hence there exists a polynomial $t(x)$ with degree less than $0.32n$ such that

$$f(x) + (x^n - a)t(x) = (x + b)^{e_0}(hx + b)^{e_1} \cdots (h^{n-1}x + b)^{e_{n-1}}.$$

If there are at least $0.5657n > \sqrt{0.32n \cdot n}$ nonzero $e_i$'s, then the curve $y = t(x)$ will pass through at least $0.5657n$ points in the set

$$\{(x_i,\ -f(x_i)/(x_i^n - a)) \mid x_i = -b/h^i,\ 0 \le i \le n-1\},$$

since at $x_i = -b/h^i$ the right-hand side vanishes whenever $e_i \ne 0$, and $x_i^n - a \ne 0$ because $x^n - a$ has no root in $F_q$. To find all the polynomials of degree less than $0.32n$ which pass through at least $0.5657n$ points in a given set of $n$ points is an instance of the list decoding problem. It turns out that there are only a few such polynomials, and they can be found efficiently.

Proposition 1 (Guruswami-Sudan [10]) Given $n$ distinct elements $x_0, x_1, \ldots, x_{n-1} \in F_q$, $n$ values $y_0, y_1, \ldots, y_{n-1} \in F_q$ and a natural number $k$, there are at most $O(\sqrt{n/k})$ many univariate polynomials $t(x) \in F_q[x]$ of degree at most $k$ such that $y_i = t(x_i)$ for at least $\sqrt{nk}$ many points. Moreover, these polynomials can be found in random polynomial time.

For each $t(x)$, we use the Cantor-Zassenhaus algorithm to factor $f(x) + (x^n - a)t(x)$. There must exist a $t(x)$ such that the polynomial $f(x) + (x^n - a)t(x)$ can be completely factored into a product of linear factors in $\{h^i x + b \mid 0 \le i \le n-1\}$, and $e$ is computed as a consequence. In order to prove Theorem 2, it remains to show:

Lemma 1 Define

$$A_{n,q} = \{(x_1, x_2, \ldots, x_n) \mid x_1 + x_2 + \cdots + x_n \le 1.32n,\ x_i \in \mathbb{Z} \text{ and } 0 \le x_i \le q-1 \text{ for } 1 \le i \le n\}$$

and

$$B_n = \{(x_1, x_2, \ldots, x_n) \mid |\{i \mid x_i = 0\}| > 0.5657n\}.$$

We have

$$\frac{|A_{n,q} \cap B_n|}{|A_{n,q}|} < c^{-n}$$

for some constant $c > 1$ when $n$ is sufficiently large.

Proof: The cardinality of $A_{n,q}$ is at least $\binom{\lfloor 1.32n \rfloor + n}{n} > 4.883987\ldots^n$, the number of nonnegative integral solutions of $x_1 + \cdots + x_n \le 1.32n$ (for $q$ large enough that the bound $x_i \le q-1$ is not binding). The cardinality of $A_{n,q} \cap B_n$ is less than $\sum_{v = \lceil 0.5657n \rceil}^{n} \binom{n}{v}\binom{\lfloor 1.32n \rfloor}{n - v}$: choose the $v$ positions holding zeros, then the remaining $n - v$ positive entries sum to at most $1.32n$. The summands are decreasing in $v$ for $v \ge 0.5657n$, so they are maximized at $v = \lceil 0.5657n \rceil$. Hence we have

$$\sum_{v = \lceil 0.5657n \rceil}^{n} \binom{n}{v}\binom{\lfloor 1.32n \rfloor}{n - v} \le 0.4343n \binom{n}{\lceil 0.5657n \rceil}\binom{\lfloor 1.32n \rfloor}{\lfloor 0.4343n \rfloor} < 4.883799\ldots^n.$$

This proves the lemma with $c = 4.883987\ldots/4.883799\ldots > 1$. □

Now we are ready to prove Theorem 3. Any $f(x)$ where $f(\alpha) = (\alpha + b)^e \in \langle \alpha + b \rangle \subseteq F^*_{q^{q-1}}$ is congruent to a product of at most $w = S_q(e)$ linear factors modulo $x^{q-1} - a$. If $w < q-1$, we have an algorithm running in time $O(n^3 q\log^2 q) = O(q^4\log^2 q)$ with $n = q-1$, according to Theorem 1. So we only need to consider the case when $w \ge q-1$. The general purpose algorithm will run in random time $f(\log q^{q-1})$, where $f$ is a subexponential function. Since $\log q^{q-1} < w\log w$, this proves Theorem 3.
5 Artin-Schreier Extensions

Let $p$ be a prime. The Artin-Schreier extension of a finite field $F_p$ is $F_{p^p}$. It is easy to show that $x^p - x - a$ is an irreducible polynomial over $F_p$ for any $a \in F_p^*$. So we may take $F_{p^p} = F_p[x]/(x^p - x - a)$. Let $\alpha = x \pmod{x^p - x - a}$. For any $b \in F_p$, we have

$$(\alpha + b)^p = \alpha^p + b = \alpha + b + a,$$

and similarly

$$(\alpha + b)^{p^i} = \alpha^{p^i} + b = \alpha + b + ia.$$

Hence the results for Kummer extensions can be adapted to Artin-Schreier extensions. For the subgroup generated by $\alpha + b$, we have a polynomial algorithm to solve the discrete logarithm if the exponent has $p$-ary sum-of-digits less than $p$. Note that $b$ may be $0$ in this case.

Theorem 4 There exists an algorithm to find the integer $e$ given $g$ and $g^e$ in $F_{p^p}$ in time polynomial in $\log p^p$ under the conditions:

1. $0 \le e < p^p$, and $S_p(e) \le p - 1$;

2. $g = \alpha + b$ where $F_p(\alpha) = F_{p^p}$, $b \in F_p$ and $\alpha^p - \alpha \in F_p^*$.

Moreover, there does not exist an integer $e' \ne e$ satisfying that $0 \le e' < p^p$, $S_p(e') \le p - 1$ and $g^{e'} = g^e$.

Theorem 5 There exists an element $g$ of order greater than $2^p$ in $F^*_{p^p}$, such that the discrete logarithm problem with respect to $g$ can be solved in time $O(f(w)(\log p^p)^4)$, where $f$ is a subexponential function and $w$ is the bound of the sum-of-digits of the exponent in the $p$-ary expansion.

Theorem 6 Suppose that $g = \alpha + b$, where $F_p(\alpha) = F_{p^p}$, $b \in F_p$ and $\alpha^p - \alpha \in F_p$. Suppose $e$ is chosen at random from the set

$$\{0 \le e < p^p - 1 \mid S_p(e) \le 1.32p\}.$$

There exists an algorithm that, given $g$ and $g^e$ in $F_{p^p}$, finds $e$ in time polynomial in $\log(p^p)$, with probability greater than $1 - c^{-p}$ for some constant $c$ greater than $1$.

6 Concluding Remarks

A novel idea in the celebrated AKS primality testing algorithm is to construct a subgroup of large cardinality through linear elements in finite fields. The subsequent improvements [ref] rely on constructing a single element of large order. It is speculated that these ideas will be useful in attacking the integer factorization problem. In this paper, we show that they do affect the discrete logarithm problem in finite fields. We give an efficient algorithm which computes the bounded sum-of-digits discrete logarithm with respect to prescribed bases in Kummer fields. We emphasize that this is more than a result which deals with only special cases, as every finite field has extensions of reasonable degrees which are Kummer fields. One of the most interesting problems is to further relax the restriction on the sum-of-digits of the exponent. Another important open problem is to prove Conjecture 1. If that conjecture is true, AKS-style primality proving can be made comparable to or better than ECPP or the cyclotomic testing in practice.